Threat actors exploit Aviatrix Controller flaw to deploy backdoors and cryptocurrency miners

A critical vulnerability in Aviatrix Controller is actively exploited to deploy backdoors and cryptocurrency miners in the wild.

Security researcher Jakub Korepta discovered a critical vulnerability, tracked as CVE-2024-50603 (CVSS score: 10.0), in the Aviatrix Controller.

The flaw impacts Aviatrix Controller pre-7.1.4191 and 7.2.x pre-7.2.4996; it allows unauthenticated attackers to execute arbitrary code via improper command neutralization in the API.

The vulnerability is caused by the improper neutralization of user-supplied input, and has been addressed in patched versions 7.1.4191 and 7.2.4996.
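The affected ranges above are the first thing a defender has to apply to an inventory, and the two branches (anything before 7.1.4191, plus 7.2.x before 7.2.4996) are easy to get wrong by hand. The following is an added example, not code from the article, Aviatrix or Wiz: it encodes exactly the ranges stated above as an "is this build affected" check. It assumes controller versions are reported as `major.minor.build` strings (optionally prefixed with `v`) and that releases from 7.3 onward fall outside the affected ranges; both are assumptions, and the sample inventory is constructed.

```python
"""Affected-version check for CVE-2024-50603 (Aviatrix Controller).

Added example, not code from the article or from Aviatrix/Wiz. It encodes
only the ranges the article states: releases before 7.1.4191, and 7.2.x
releases before 7.2.4996, are affected; 7.1.4191 and 7.2.4996 are fixed.
The version string format and the treatment of 7.3+ are assumptions.
"""
import re

# Fixed builds named in the advisory, as (major, minor, build) tuples.
FIXED_7_1 = (7, 1, 4191)
FIXED_7_2 = (7, 2, 4996)

# Assumed format: "7.2.4996" or "v7.2.4996".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a controller version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Aviatrix version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_affected(version: str) -> bool:
    """True if the build falls inside a vulnerable range for CVE-2024-50603."""
    v = parse_version(version)
    major, minor, _ = v
    if (major, minor) == (7, 2):
        # 7.2.x branch: fixed from 7.2.4996 onward.
        return v < FIXED_7_2
    # Everything else: fixed from 7.1.4191 onward (7.3+ is assumed unaffected).
    return v < FIXED_7_1


def triage(versions) -> dict[str, bool]:
    """Map each version string in an inventory to its affected status."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real controller data.
    sample = ["7.0.1200", "7.1.4190", "7.1.4191", "7.2.4995", "7.2.4996", "7.3.10"]
    for version, affected in triage(sample).items():
        print(f"{version:>10}  {'PATCH NOW' if affected else 'ok'}")
```

Boundary builds matter here: 7.1.4191 and 7.2.4996 are the patched releases, so the comparison is strict (`<`), and a 7.2 build is compared against its own branch's fix rather than against 7.1.4191.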

The Wiz Incident Response team reported that threat actors are exploiting the flaw in attacks in the wild to deploy backdoors and cryptocurrency miners.

“The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an Aviatrix Controller unauthenticated RCE vulnerability, that can lead to privilege escalation in the AWS control plane,” reads the advisory published by Wiz. “Organizations should patch urgently.”

A proof-of-concept (PoC) exploit is publicly available.

Aviatrix’s PSIRT confirmed the active exploitation of the flaw.

“A vulnerability could allow an unauthenticated user to execute arbitrary commands against Aviatrix Controllers,” reads the PSIRT’s advisory. “Aviatrix has seen indications that bad actors are attempting to exploit this vulnerability, and strongly recommends that you take action to protect your controllers.”

In AWS, the elevated privileges Aviatrix Controller holds by default amplify the risk of exploitation, enabling cryptojacking and backdoor attacks, per Wiz Research.

According to data gathered by Wiz, around 3% of cloud enterprise environments have Aviatrix Controller deployed. The experts warn that in 65% of those environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions.

Threat actors exploit the vulnerability to mine cryptocurrency with XMRig, deploy Sliver backdoors, and likely enumerate cloud permissions for potential data exfiltration.

“Our investigation of these instances has shown that the threat actors exploiting this vulnerability are abusing their access to mine cryptocurrency using XMRig and deploy Sliver backdoors, presumably for persistence purposes (to avoid losing access if the infected machine is patched),” Wiz concludes.

“While we have yet to see direct evidence of cloud lateral movement, we do believe it likely that threat actors are utilizing the vulnerability to enumerate the cloud permissions of the host and then pivot to exfiltrating data from the victims’ cloud environments.”

Pierluigi Paganini

(SecurityAffairs – hacking, Aviatrix Controller)